Title: A method for forensic artefact collection, analysis and incident response in environments running session initiation protocol and session description protocol

Authors: Ioannis Psaroudakis; Vasilios Katos; Panagiotis Saragiotis; Lilian Mitrou

Addresses: Information Security and Incident Response Unit, Democritus University of Thrace, Vas. Sofias 12, Xanthi 67100, Greece; Information Security and Incident Response Unit, Democritus University of Thrace, Vas. Sofias 12, Xanthi 67100, Greece; System Management & Security Solutions, DG. DIGIT Unit A.2, B-28 03/054 – Rue Belliard, 28 – 1049, Brussels; Department of Information and Communication Systems Engineering, University of the Aegean, Lymberis Building, Karlovassi, Samos, 83200, Greece

Abstract: In this paper, we perform an analysis of SIP, a popular voice over IP (VoIP) protocol, and propose a framework for capturing and analysing volatile VoIP data in order to determine forensic readiness requirements for effectively identifying an attacker. The analysis was performed on real attack data and the findings were encouraging. It seems that if appropriate forensic readiness processes and controls are in place, a wealth of evidence can be obtained. The type of end user equipment of the internal users, their private IP addresses and the software they use can help build a reliable baseline information database. On the other hand, the private IP addresses of a potential attacker, even in the presence of NAT services, as well as the attack tools employed by the malicious parties, are logged for further analysis.
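The abstract states that SIP signalling reveals the endpoint software, and that the private address of a caller survives NAT. The following Python example, added here and not the authors' framework, shows where in a captured SIP request those artefacts sit: the User-Agent header, the Via sent-by address and its `received=` parameter, the Contact URI, and the SDP `c=` line. Both SIP messages, the host names and every address are constructed for the example; the only real facts used are the RFC 3261 compact header forms and the RFC 1918 private ranges.

```python
"""Pull forensic artefacts out of a captured SIP request (added example, not the paper's code)."""
import re

# RFC 3261 compact header forms, expanded so every lookup uses the long name.
_COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
            "m": "contact", "c": "content-type", "l": "content-length"}
_IP4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample 1: an INVITE seen at the proxy from a softphone behind NAT.
# The NAT rewrote the UDP source, so the proxy added received= with the public
# address, but Contact and the SDP c= line still carry the private address.
_SDP = ("v=0\r\n"
        "o=- 12345 12345 IN IP4 192.168.1.23\r\n"
        "s=call\r\n"
        "c=IN IP4 192.168.1.23\r\n"
        "t=0 0\r\n"
        "m=audio 49170 RTP/AVP 0 8\r\n")
SAMPLE_INVITE = (
    "INVITE sip:1000@sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.23:5060;branch=z9hG4bK776asdhds;received=203.0.113.45;rport=41234\r\n"
    'From: "caller" <sip:2001@sip.example.invalid>;tag=1928301774\r\n'
    "To: <sip:1000@sip.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.23\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:2001@192.168.1.23:5060>\r\n"
    "User-Agent: ExampleSoftPhone/1.2.3\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP)}\r\n"
    "\r\n" + _SDP)

# Constructed sample 2: a bodiless OPTIONS probe sent directly from a public address.
SAMPLE_OPTIONS = (
    "OPTIONS sip:sip.example.invalid SIP/2.0\r\n"
    "v: SIP/2.0/UDP 203.0.113.99:5060;branch=z9hG4bKabc123\r\n"
    "f: <sip:probe@203.0.113.99>;tag=1\r\n"
    "t: <sip:sip.example.invalid>\r\n"
    "i: probe-0001@203.0.113.99\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: ExampleProbe/0.1\r\n"
    "l: 0\r\n"
    "\r\n")


def parse_sip(raw: str) -> dict:
    """Split a SIP message into request line, header map (lowercase names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(_COMPACT.get(name, name), []).append(value.strip())
    return {"request_line": lines[0], "headers": headers, "body": body}


def is_rfc1918(ip: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 addresses."""
    o = [int(x) for x in ip.split(".")]
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)


def _first_ip(text: str):
    m = _IP4.search(text)
    return m.group(1) if m else None


def summarise(raw: str) -> dict:
    """Return the artefacts a SIP log record should keep for baselining and attribution."""
    msg = parse_sip(raw)
    h = msg["headers"]
    first = lambda k: (h.get(k) or [""])[0]  # noqa: E731 - header value or empty string
    via = first("via")
    received = re.search(r"received=([\d.]+)", via)
    sdp_c = re.search(r"^c=IN IP4 (\S+)", msg["body"], re.M)
    art = {
        "method": msg["request_line"].split(" ", 1)[0],
        "call_id": first("call-id") or None,
        "user_agent": first("user-agent") or None,        # endpoint software / attack tool
        "via_sent_by": _first_ip(via),                     # address the sender wrote itself
        "via_received": received.group(1) if received else None,  # address the proxy saw
        "contact_ip": _first_ip(first("contact")),
        "sdp_connection_ip": sdp_c.group(1) if sdp_c else None,   # where media is requested
    }
    candidates = (art["via_sent_by"], art["contact_ip"], art["sdp_connection_ip"])
    art["private_ips"] = sorted({ip for ip in candidates if ip and is_rfc1918(ip)})
    # Public side: the proxy's received= parameter wins; otherwise a non-private sent-by.
    if art["via_received"]:
        art["public_ip"] = art["via_received"]
    else:
        sb = art["via_sent_by"]
        art["public_ip"] = sb if sb and not is_rfc1918(sb) else None
    art["behind_nat"] = bool(art["public_ip"] and art["private_ips"])
    return art


if __name__ == "__main__":
    for sample in (SAMPLE_INVITE, SAMPLE_OPTIONS):
        print(summarise(sample))
```

The `behind_nat` flag is set only when the message carries both a public address (from `received=`) and a private one, which is the situation the abstract describes: the NAT hides the caller at the IP layer, but SIP and SDP carry the inner address anyway. The baseline of internal users can be keyed on the (contact IP, User-Agent) pair that `summarise` returns; the same fields, logged for external senders, give the attacker's tool string and inner address.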

Keywords: network forensics; session initiation protocol; SIP; VoIP forensics; intrusion detection systems; IDS; network logging; forensic artefacts; incident response; session description protocol; voice over IP; forensic readiness; malicious attacks; security.

DOI: 10.1504/IJESDF.2014.065737

International Journal of Electronic Security and Digital Forensics, 2014 Vol.6 No.4, pp.241 - 267

Received: 28 Mar 2014
Accepted: 02 Jun 2014

Published online: 26 Nov 2014
